
Databreach

Healthsector


21.3 million healthcare records were breached by hackers in the second half of 2020

A new data breach analysis from CI Security establishes that hackers are going after medical billing and insurance companies.

11-Feb-2021
3 min read

No content available.

Related Articles


Android

Anatsa Android banking trojan infiltrates Google Play, hits 90k US/Canada users ...

The **Anatsa (a.k.a. TeaBot)** Android banking trojan has launched its first large-scale campaign in the United States and Canada, hiding inside a popular “Document Viewer – File Reader” app on Google Play. The dropper accumulated roughly **90,000 installs in six weeks** before Google removed it, providing attackers with a foothold to steal credentials, keylog sessions, and automate fraudulent transactions against a broadened list of North American financial apps. ThreatFabric analysts say the campaign mirrors five earlier European waves, yet shows a sharper focus on U.S. institutions and improved evasion tactics, such as deceptive maintenance overlays that mask fraud in real time.

## Anatsa at a Glance

| Attribute | Details |
|-----------|---------|
| First seen | 2020 |
| Aliases | TeaBot, Toddler |
| Primary vector | Google Play droppers (PDF, QR, cleaner, file viewers) |
| Targets | 650+ banking/finance apps worldwide |
| Capabilities | Credential overlays, Accessibility abuse, Keylogging, On-device fraud (DTO) |

Anatsa’s operators periodically pause distribution, refine the code, and then return with region-specific waves that quickly accumulate tens of thousands of installs before being taken down.

## Proven Five-Step Campaign Process

ThreatFabric’s long-term telemetry shows each wave follows a consistent, **five-step pattern**:

1. **Developer profile creation** on Google Play.
2. **Legitimate utility app release** (e.g., PDF reader) to build trust and reviews.
3. **User-base growth** to reach Google Play’s Top-Free charts, boosting visibility.
4. **Malicious update** that silently side-loads Anatsa via an external payload.
5. **Dynamic targeting**—the trojan fetches an updated list of banking package names from its C2, enabling on-the-fly expansion.

This cyclic approach lets the gang bypass store vetting, exploit user ratings as social proof, and keep infections geographically tailored.

## How the North-American Dropper Worked

The 2025 campaign’s dropper package **com.stellarastra.maintainer.astracontrol_managerreadercleaner** looked and behaved as a genuine file viewer until June 24. An update then added code that:

* Requested **AccessibilityService** permission to automate taps.
* Downloaded a second-stage DEX from the C2, loading the full Anatsa payload in memory.
* Displayed a **“Scheduled Maintenance”** overlay whenever victims opened any targeted banking app—blocking calls to customer support while credentials were siphoned.

### Timeline of the U.S.–Canada Wave

| Date | Milestone |
|------|-----------|
| 07 May 2025 | App first published on Google Play |
| 29 Jun 2025 | Climbed to #4 in “Top Free – Tools” chart (US) |
| 24-30 Jun 2025 | Malicious update pushed; active distribution window |
| 01 Jul 2025 | Google removes app after ThreatFabric report |

## Rapid Growth of Anatsa Download Waves

The North-American dropper continues a multi-year pattern of explosive install counts that outpace store defenses.

## Impacted Banking Apps and Fraud Techniques

Once installed, Anatsa can:

* **Harvest credentials** via WebView-based overlays that mimic sign-in pages.
* **Intercept SMS 2FA codes** through granted accessibility hooks.
* **Perform full Device-Takeover Fraud (DTO)**—initiating transfers directly from the victim’s handset to bypass behavioral analytics[6].

ThreatFabric observed **an expanded target list of U.S. institutions**, including tier-1 retail banks, credit unions, and investment apps, alongside Canadian banking brands.

## Why Tools-Category Apps Dominate

Analysis by Zscaler shows **“Tools”** utilities account for 40% of droppers because they plausibly request powerful permissions (storage, accessibility) without raising suspicion.

## Google Play’s Unresolved Malware Gap

Google’s policy requires any app asking for AccessibilityService to justify the need, yet Anatsa operators still bypass vetting by shipping **clean version 1.0** and weaponizing the first update—a tactic that evades automated static analysis and most manual reviews[3]. Until store workflows verify **runtime behavior** and cross-check update diffs, high-download droppers will continue to pose a recurring threat vector.

## Indicators of Compromise & Mitigation

**IOC Highlights (July 2025 wave)**

- Malicious PDF update domain: `menusand.com`
- C2 API endpoint: `185.215.113.31:85/api`
- Package name: `com.stellarastra.*reader*cleaner`

**Recommended Actions for Enterprises**

1. **Block known IOCs** at MDM and network layers.
2. **Harden mobile apps** with root/jailbreak detection, certificate pinning, and overlay protection.
3. **Leverage Play Integrity API** to spot modified or repackaged environments.
4. **Deploy behavioral fraud analytics** capable of detecting DTO patterns (e.g., anomalous device biometrics, impossible timing).
5. **Educate customers**: limit installs to trusted vendors, revoke unnecessary permissions, enable Play Protect scans.
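As an added example (not ThreatFabric’s or this site’s code), the sweep below matches an MDM app inventory and proxy log lines against the three IOCs listed above: the package-name wildcard, the dropper domain and the C2 host:port. The inventory tuple layout, the log line format and all sample data are constructed for illustration; the C2 match is on host and port rather than the full `/api` path so that other paths on the same endpoint are also caught.

```python
"""Sweep an MDM app inventory and proxy log lines for the Anatsa IOCs the
article lists.  Added example, not ThreatFabric's or the site's code; the
inventory tuples and the log line format are constructed for illustration."""
import fnmatch
import re
from dataclasses import dataclass

# IOCs exactly as published above: package-name wildcard, dropper domain, C2 host:port.
IOC_PACKAGE_GLOB = "com.stellarastra.*reader*cleaner"
IOC_DOMAINS = {"menusand.com"}
IOC_C2_ENDPOINTS = {("185.215.113.31", 85)}


@dataclass(frozen=True)
class Finding:
    device: str
    kind: str    # "package", "domain" or "c2"
    value: str


def match_packages(inventory):
    """inventory: iterable of (device_id, package_name) pairs exported from an MDM (assumed layout)."""
    return [
        Finding(device, "package", pkg)
        for device, pkg in inventory
        if fnmatch.fnmatchcase(pkg, IOC_PACKAGE_GLOB)
    ]


# Constructed log format (assumption): "<timestamp> <device_id> <method> <host>[:<port>][/path]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<method>\S+) "
    r"(?P<host>[^:/\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$"
)


def match_proxy_logs(lines):
    """Flag lines whose destination is the dropper domain or the C2 host:port."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently mis-attribute it
        host = m.group("host").lower()
        port = int(m.group("port") or 80)
        if host in IOC_DOMAINS:
            findings.append(Finding(m.group("device"), "domain", host))
        # Match on host:port, not the full path, so other API paths on the same C2 are caught.
        if (host, port) in IOC_C2_ENDPOINTS:
            findings.append(Finding(m.group("device"), "c2", f"{host}:{port}{m.group('path') or ''}"))
    return findings


def triage(inventory, log_lines):
    """Collapse findings per device: {device: sorted list of IOC kinds hit}."""
    by_device = {}
    for f in match_packages(inventory) + match_proxy_logs(log_lines):
        by_device.setdefault(f.device, set()).add(f.kind)
    return {dev: sorted(kinds) for dev, kinds in sorted(by_device.items())}


# Constructed sample data.
SAMPLE_INVENTORY = [
    ("dev-1", "com.stellarastra.maintainer.astracontrol_managerreadercleaner"),  # dropper named in the article
    ("dev-2", "com.adobe.reader"),
    ("dev-3", "com.example.cleaner"),
]
SAMPLE_LOGS = [
    "2025-07-08T10:15:02Z dev-1 POST 185.215.113.31:85/api/targets",
    "2025-07-08T10:16:00Z dev-2 GET menusand.com/update.pdf",
    "2025-07-08T10:17:00Z dev-3 GET play.google.com/store/apps",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for device, kinds in triage(SAMPLE_INVENTORY, SAMPLE_LOGS).items():
        print(f"{device}: {', '.join(kinds)}")
```

A device that hits both the package pattern and the C2 endpoint (dev-1 in the sample) is the strongest signal: the package alone could be a leftover install that never received the malicious update, while C2 traffic shows the second stage has run.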

## Strategic Take-aways for Banks & Developers

| Risk Driver | Strategic Response |
|-------------|-------------------|
| Dropper stealth via staged updates | Continuous mobile-app telemetry, store-update diff scanning |
| Accessibility abuse for DTO | In-app detection of suspicious accessibility events; enforce step-up verification |
| Overlay credential theft | Implement secure keyboard frameworks and deep-link sign-in to thwart overlays |
| Geo-targeted target lists | Monitor for sudden spikes in fraud from specific mobile OS versions or locales |
| Store takedown lag | Maintain threat-intel feeds and warn users faster than official store actions |

The latest **Anatsa incursion into North America** underscores the persistent gap between official-store defenses and agile malware operators.

09-Jul-2025
4 min read

Ingram

Safepay

SafePay ransomware cripples Ingram Micro's global operations, disrupting IT supp...

The technology distribution giant Ingram Micro confirmed on July 6, 2025, that it had fallen victim to a sophisticated ransomware attack by the rapidly emerging SafePay cybercriminal group, marking one of the most significant supply chain disruptions in the IT industry this year. The attack, which began on July 3, has crippled the company's global operations, leaving thousands of managed service providers (MSPs), resellers, and enterprise customers unable to access critical services, place orders, or manage software licenses.

## Attack Timeline: From Breach to Crisis

The Ingram Micro incident unfolded over five critical days, escalating from an initial security breach to a full-scale operational crisis that exposed the vulnerability of global IT supply chains.

### July 3: Initial Detection

The attack was first detected at approximately 8:00 AM Eastern Time on July 3, 2025, when Ingram Micro's security monitoring systems identified anomalous network activity[1][4]. By this time, SafePay ransomware had already begun encrypting critical internal systems and deploying ransom notes across employee devices[1][5].

### July 4: System Shutdown

As the extent of the breach became clear, Ingram Micro proactively took key systems offline, including its flagship AI-powered Xvantage distribution platform and the Impulse license provisioning system[1][6][7]. The company's websites went dark, displaying only maintenance messages, while customer portals became completely inaccessible[6][8].

### July 5-6: Communication Crisis

The company's initial silence sparked widespread frustration among partners and customers. MSPs reported being unable to serve their clients, while resellers found themselves locked out of ordering systems during critical end-of-quarter sales periods. One SP500 company CEO told CRN: _"This is our worst nightmare come true. If we can't place orders or get quotes, it stops our business"_.

### July 6: Official Confirmation

After three days of speculation, Ingram Micro officially confirmed the ransomware attack in a brief statement: _"Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline"_.

## SafePay Ransomware: Rapid Rise of a New Threat

The attack on Ingram Micro represents the latest high-profile victim of SafePay, a ransomware group that has experienced meteoric growth since its emergence in September 2024.

### From Obscurity to Market Leader

SafePay's trajectory has been remarkable in the ransomware landscape. Starting with just 5 victims in September 2024, the group rapidly scaled its operations, reaching a peak of 70 attacks in May 2025 and claiming the #1 position among active ransomware groups. This growth occurred despite—or perhaps because of—the disruption of major ransomware operations like LockBit and ALPHV in 2024.

### Unique Operational Model

Unlike most modern ransomware groups that operate under a Ransomware-as-a-Service (RaaS) model, SafePay maintains direct control over its operations. The group explicitly states on its dark web leak site: _"SAFEPAY RANSOMWARE HAS NEVER PROVIDED AND DOES NOT PROVIDE THE RAAS"_. This approach offers better operational security but limits scalability compared to affiliate-based models.

### Double-Extortion Tactics

SafePay employs sophisticated double-extortion techniques, stealing sensitive data before encrypting systems and threatening public disclosure if ransom demands are not met. The group's ransom note to Ingram Micro stated: _"We are the ones who can correctly decrypt your data and restore your infrastructure,"_ demanding payment within seven days.

## Technical Attack Vector: GlobalProtect VPN Vulnerability

Security researchers believe the Ingram Micro breach originated through the company's GlobalProtect VPN platform, highlighting persistent vulnerabilities in enterprise VPN solutions.

### Exploitation of Network Misconfigurations

In their ransom note, SafePay claimed that Ingram Micro's _"IT specialists made a number of mistakes in setting up the security of your corporate network,"_ allowing the attackers to maintain persistent access for an extended period. The group characterized the breach as _"a paid training session for your system administrators"_.

### Systemic VPN Vulnerabilities

The attack underscores broader concerns about VPN security in enterprise environments. Multiple critical vulnerabilities in Palo Alto Networks' GlobalProtect have been disclosed in 2025, including [CVE-2025-0120](https://nvd.nist.gov/vuln/detail/CVE-2025-0120), CVE-2025-0117, and CVE-2025-0133. These flaws have enabled privilege escalation, credential theft, and remote code execution in various configurations.

## Supply Chain Paralysis

The Ingram Micro attack has created unprecedented disruption across the global IT supply chain, affecting multiple stakeholder groups with varying degrees of severity.

### MSPs Bear the Brunt

Managed Service Providers have experienced the most severe impact, with many unable to serve their clients effectively. The disruption has prevented MSPs from managing Microsoft 365 licenses, provisioning software, and accessing critical backup systems. Stanley Louissaint, founder of New Jersey-based MSP Fluid Designs, described the situation: _"The biggest issue in this situation isn't even the attack itself. It's the lack of openness and communication"_.

### Reseller Operations Halted

Technology resellers worldwide have been unable to place orders for hardware and software, disrupting sales cycles and customer deliveries. The timing coincided with end-of-quarter sales periods, amplifying the financial impact for many partner organizations.

### Global Operations Affected

Ingram Micro's global reach—spanning 200 countries with 24,000 employees and $48 billion in annual revenue—means the disruption has had worldwide implications. Regional operations in the Middle East, Europe, and Asia-Pacific have all reported significant impacts.

### Financial Implications

Based on Ingram Micro's Q1 2025 revenue of $12.3 billion, the company generates approximately $137 million in daily revenue. Conservative estimates suggest the ongoing outage could result in daily losses of $5-15 million, potentially reaching $50-200 million for an extended disruption.

## Industry Response and Customer Migration

The prolonged outage has prompted customers to seek alternative suppliers, highlighting the concentration risk in the IT distribution market.

### Competitors Gain Ground

Major competitors like TD Synnex have reportedly seen increased inquiry volumes as Ingram Micro customers seek alternative sourcing options. Some organizations have proactively reached out to alternative distributors to maintain business continuity during the outage.

### Communication Failures Compound Impact

Industry observers have criticized Ingram Micro's initial communication strategy. The company remained silent for nearly three days, providing only generic _"technical difficulties"_ messages while customers and partners struggled with service disruptions. This communication vacuum amplified customer frustration and uncertainty.

### Broader Supply Chain Vulnerabilities

The incident has highlighted the systemic risks associated with supply chain concentration. A recent ISACA survey found that 73% of IT professionals consider ransomware the top supply chain risk, with 52% of organizations having experienced supply chain compromises.

07-Jul-2025
6 min read

NetScaler

Citrix NetScaler security patch causes login issues due to new CSP settings. Lea...

Citrix has issued a critical security patch for NetScaler appliances to address two severe vulnerabilities, including the high-profile “CitrixBleed 2” flaw. However, the latest update has led to unexpected login failures for many organizations, with administrators reporting blank authentication pages and broken third-party integrations. This article explains the root cause, the impact, and the actionable fixes.

### What Changed in the Latest Citrix NetScaler Update?

The July 2025 Citrix NetScaler patch addresses two major vulnerabilities: CVE-2025-5777 (CitrixBleed 2), which allows session hijacking, and CVE-2025-6543, an actively exploited denial-of-service bug. With these fixes, Citrix also silently enabled a strict Content-Security-Policy (CSP) header by default on Gateway and AAA virtual servers. This security enhancement is designed to block malicious scripts and prevent cross-site scripting (XSS) attacks.

### Why Are Login Pages Failing After the Patch?

Many organizations use custom authentication flows, third-party identity providers (IdPs) like DUO, Azure AD, Okta, or SAML, and legacy JavaScript on their NetScaler login pages. The newly enforced CSP header—specifically `default-src 'self'`—blocks any inline scripts or external resources not explicitly allowed. As a result, essential scripts for rendering login prompts or handling authentication are blocked by the browser, leading to blank or partially loaded login pages and failed authentication attempts.

### How to Fix NetScaler Login Issues After the Patch

Citrix recommends a two-step workaround to restore access while maintaining security:

1. **Temporarily disable the default CSP header** using the following commands:

   ```
   set aaa parameter -defaultCSPHeader DISABLED
   save ns config
   flush cache contentgroup loginstaticobjects
   ```

   This can also be done via the GUI under NetScaler Gateway > Global Settings > Change Authentication AAA Settings.

2. **Flush cached objects** to ensure the latest login resources are served.

Administrators should retest the login portal after applying these changes. If problems persist, Citrix advises contacting support with the affected configuration.

### Security Trade-Offs

While disabling the CSP header restores login functionality, it also reopens the client-side attack surface that the CSP was designed to protect. Organizations must weigh the immediate need for user access against the risk of XSS and other browser-based vulnerabilities. Citrix recommends disabling CSP only as a temporary measure and working toward a compliant, granular CSP policy that allows necessary scripts and resources without broadly reducing security.

### Long-Term Remediation Strategy

- **Patch promptly** to eliminate the critical vulnerabilities exploited in the wild.
- **Audit all custom authentication flows and scripts** used on NetScaler login pages.
- **Develop a tailored CSP policy** that whitelists only required domains and scripts.
- **Test and document** all changes to ensure future updates do not disrupt access.
- **Terminate all active sessions** after applying the CitrixBleed 2 patch to prevent session token replay attacks.

### Security vs. Usability

This incident highlights the ongoing challenge of balancing robust security controls with business continuity. The Citrix NetScaler update demonstrates how even well-intentioned security enhancements can disrupt critical workflows if not communicated and tested thoroughly. Administrators are urged to stay informed about vendor advisories and to proactively review custom integrations for compatibility with evolving security standards.
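The failure mode described under “Why Are Login Pages Failing After the Patch?” and the “Develop a tailored CSP policy” step above can both be worked through with a small CSP evaluator. This is an added example, not Citrix code: it applies simplified CSP source-matching rules (no nonces or hashes, no path matching, every fetch directive falling back straight to `default-src`) to a constructed list of login-page resources, shows which of them a bare `default-src 'self'` blocks, and derives a narrower policy that admits only the origins actually used. The gateway hostname, script paths and `.invalid` IdP hostnames are placeholders.

```python
"""Evaluate which NetScaler login-page resources a Content-Security-Policy
header would block, then derive a narrower policy that admits exactly the
origins the page needs.  Added example, not Citrix's code.  CSP source
matching is simplified: no nonces/hashes, no path matching, and every fetch
directive falls back straight to default-src."""
from urllib.parse import urlsplit


def parse_csp(header):
    """'default-src 'self'; frame-src https://a' -> {'default-src': ["'self'"], 'frame-src': ['https://a']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin(url):
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    return (u.scheme, u.hostname, port)


def source_matches(src, page_url, res):
    """Does one source expression admit the resource (dict with 'url', or inline=True)?"""
    s = src.lower()
    if res.get("inline"):
        return s == "'unsafe-inline'"      # inline script needs 'unsafe-inline' (nonce/hash not modelled)
    if s == "'self'":
        return origin(res["url"]) == origin(page_url)
    if s.startswith("'"):                  # 'none', 'unsafe-inline', 'strict-dynamic', nonces, hashes
        return False
    if s == "*":
        return True
    if s.endswith(":"):                    # scheme-source such as https:
        return urlsplit(res["url"]).scheme == s[:-1]
    scheme, _, rest = s.rpartition("://")  # host-source, optional scheme and wildcard subdomain
    u = urlsplit(res["url"])
    if scheme and u.scheme != scheme:
        return False
    host = rest.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])   # *.idp.example matches a.idp.example, not idp.example
    return u.hostname == host


def blocked_resources(header, page_url, resources):
    """Return the resources the policy would block when the page at page_url loads them."""
    policy = parse_csp(header)
    blocked = []
    for res in resources:
        sources = policy.get(res["directive"], policy.get("default-src"))
        if sources is None:
            continue                       # no governing directive: the browser allows it
        if not any(source_matches(s, page_url, res) for s in sources):
            blocked.append(res)
    return blocked


def build_policy(resources):
    """Granular replacement for a bare default-src 'self': self plus each external origin actually used."""
    per_directive = {}
    for res in resources:
        srcs = per_directive.setdefault(res["directive"], {"'self'"})
        if res.get("inline"):
            srcs.add("'unsafe-inline'")    # restores the page, but weaker than moving the script to a file
        else:
            u = urlsplit(res["url"])
            srcs.add(f"{u.scheme}://{u.hostname}")
    parts = ["default-src 'self'"] + [f"{d} {' '.join(sorted(per_directive[d]))}" for d in sorted(per_directive)]
    return "; ".join(parts)


# Constructed sample: a gateway login page, its own script, a custom inline script,
# and two hypothetical IdP endpoints (the .invalid hostnames are placeholders).
PAGE = "https://gateway.example.com/logon/index.html"
RESOURCES = [
    {"directive": "script-src", "url": "https://gateway.example.com/js/login.js"},
    {"directive": "script-src", "inline": True, "label": "custom inline login script"},
    {"directive": "frame-src", "url": "https://idp.example-duo.invalid/frame/prompt"},
    {"directive": "connect-src", "url": "https://login.example-idp.invalid/saml/sso"},
]
DEFAULT_CSP = "default-src 'self'"   # what the patched appliance now sends

if __name__ == "__main__":
    for res in blocked_resources(DEFAULT_CSP, PAGE, RESOURCES):
        print("blocked:", res.get("url", res.get("label")))
    print("proposed:", build_policy(RESOURCES))
```

The resource list is the part an administrator has to supply from the audit step: the browser’s CSP violation reports (or the console errors behind a blank login page) give the directive and blocked URL for each one. Anything that ends up needing `'unsafe-inline'` is worth moving into a file served from the gateway itself so the final policy does not have to weaken `script-src`.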
The Citrix NetScaler patch for CitrixBleed 2 and related vulnerabilities is essential for protecting enterprise infrastructure from active threats. However, the introduction of a default CSP header has caused widespread login failures for organizations relying on custom or third-party authentication. By following Citrix’s recommended workaround and developing a long-term CSP strategy, administrators can restore access while maintaining a strong security posture. Staying current with security updates and best practices ensures both protection and operational resilience in today’s threat landscape.

03-Jul-2025
4 min read